Granting access to a service

Using the DC/OS web interface

Log in to the DC/OS web interface as a user with the superuser permission.

Figure 1. DC/OS web interface login screen

Select Organization and choose Users or Groups.

Select the name of the user or group to grant the permission to.

Figure 2. Select user to grant permissions

From the Permissions tab, click ADD PERMISSION.

Click INSERT PERMISSION STRING to toggle the dialog.

Copy and paste the permission into the Permissions Strings field. Choose the permission strings based on your security mode.

Figure 3. Copy and paste permissions string.

Permissive

DC/OS service access:

Specify your service (<service-name>) and action (<action>). Actions can be create, read, update, delete, or full. To permit more than one operation, separate the actions with commas, for example: dcos:service:marathon:marathon:services:/<service-name> read,update.

Strict

DC/OS service access:

Specify your service (<service-name>) and action (<action>). Actions can be create, read, update, delete, or full. To permit more than one operation, separate the actions with commas, for example: dcos:service:marathon:marathon:services:/<service-name> read,update.

Granting access to a service in a service group

Via the DC/OS web interface

Log in to the DC/OS web interface as a user with the superuser permission.

Figure 3. DC/OS web interface login screen

Select Organization and choose Users or Groups.

Select the name of the user or group to grant the permission to.

Figure 4. Select user to grant permissions

From the Permissions tab, click ADD PERMISSION.

Click INSERT PERMISSION STRING to toggle the dialog.

Figure 5. Add permission

Copy and paste the permission into the Permissions Strings field. Choose the permission strings based on your security mode.

Permissive

DC/OS service access:

Specify your service (<service-name>), group (<gid>), and action (<action>). Actions can be create, read, update, delete, or full. To permit more than one operation, separate the actions with commas, for example: dcos:service:marathon:marathon:services:/<service-name> read,update.

Strict

DC/OS service access:

Specify your service (<service-name>), group (<gid>), and action (<action>). Actions can be create, read, update, delete, or full. To permit more than one operation, separate the actions with commas, for example: dcos:service:marathon:marathon:services:/<service-name> read,update.

Via the CLI

To grant permissions to a group instead of a user, replace users grant <uid> with groups grant <gid>.

Permissive

DC/OS service access:

Grant the following privileges to the user <uid> for a particular service (<service-name>).

dcos security org users grant <uid> dcos:adminrouter:service:marathon full
dcos security org users grant <uid> dcos:service:marathon:marathon:services:/group/<service-name> full --description "Controls access to a service or service group <service-name> inside a group called group"

Strict

DC/OS service access:

Grant the following privileges to the user <uid>.

dcos security org users grant <uid> dcos:adminrouter:service:marathon full
dcos security org users grant <uid> dcos:service:marathon:marathon:services:/group/<service-name> full --description "Controls access to a service or service group <service-name> inside a group called group"

DC/OS service tasks and logs:

Grant the following privileges to the user <uid> for a particular service (<service-name>).
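
The service access grants from the Via the CLI section above, as an added example that is not part of the DC/OS documentation: a shell function that checks the action list against the five actions the page names and prints the grant commands for review instead of running them. The sample names (alice, /group/web), the character allow-list, and the choice to emit one command per action are assumptions of this example.

```shell
#!/bin/sh
# Added example, not DC/OS project code. Prints commands; runs nothing.

# The five actions the page lists.
valid_action() {
    case "$1" in
        create|read|update|delete|full) return 0 ;;
        *) return 1 ;;
    esac
}

# Conservative allow-list (an assumption of this example) so the printed
# commands can be pasted without quoting surprises.
safe_token() {
    case "$1" in
        ''|*[!A-Za-z0-9/._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# grant_cmds KIND ID SERVICE_PATH ACTIONS
#   KIND: users|groups                    ID: the uid or gid
#   SERVICE_PATH: /group/<service-name>   ACTIONS: e.g. read,update
grant_cmds() {
    kind=$1; id=$2; path=$3; actions=$4
    case "$kind" in
        users|groups) ;;
        *) echo "kind must be users or groups" >&2; return 2 ;;
    esac
    safe_token "$id" || { echo "unsafe or empty id" >&2; return 2; }
    safe_token "$path" || { echo "unsafe or empty path" >&2; return 2; }
    case "$path" in
        /*) ;;
        *) echo "service path must start with /" >&2; return 2 ;;
    esac
    # Only lowercase letters and commas, and no empty items ("read,,update").
    case ",$actions," in
        *[!a-z,]*|*,,*) echo "malformed action list" >&2; return 2 ;;
    esac
    # Validate every action before printing, so a typo yields no partial output.
    for a in $(printf '%s' "$actions" | tr ',' ' '); do
        valid_action "$a" || { echo "invalid action: $a" >&2; return 2; }
    done
    rid="dcos:service:marathon:marathon:services:$path"
    echo "dcos security org $kind grant $id dcos:adminrouter:service:marathon full"
    for a in $(printf '%s' "$actions" | tr ',' ' '); do
        echo "dcos security org $kind grant $id $rid $a"
    done
}
```

Calling grant_cmds users alice /group/web read,update prints three commands, and passing groups with a gid produces the groups grant form described above.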

Granting a user access to a service group

Via the DC/OS web interface

Log in to the DC/OS web interface as a user with the superuser permission.

Figure 5. DC/OS web interface login screen

Select Organization and choose Users or Groups.

Select the name of the user or group to grant the permission to.

Figure 6. Select user to grant permissions

From the Permissions tab, click ADD PERMISSION.

Click INSERT PERMISSION STRING to toggle the dialog.

Figure 7. Add permissions

Copy and paste the permission into the Permissions Strings field. Choose the permission strings based on your security mode.

Permissive

DC/OS group access:

Specify your group (<gid>) and action (<action>). Actions can be create, read, update, delete, or full. To permit more than one operation, separate the actions with commas, for example: dcos:service:marathon:marathon:services:/<service-name> read,update.

Strict

DC/OS group access:

Specify your group (<gid>) and action (<action>). Actions can be create, read, update, delete, or full. To permit more than one operation, separate the actions with commas, for example: dcos:service:marathon:marathon:services:/<service-name> read,update.